August 2011 Archives

Tue Aug 9 18:34:11 CEST 2011

CVE-2011-0228 and the Opera Mini UI-Design

Recurity Labs received user reports, followed by our own tests, that Opera Mini
is affected by the CVE-2011-0228 X.509 certificate validation issue, originally
reported for Apple iOS.

Upon filing a bug with Opera Software (ID SKIRNE-136848), we tried to contact
them directly. With some external help, we managed to get in contact with
security people at Opera and received the following interesting statement:

Thanks for reporting an issue with Opera.
While you are correct that Opera Mini does not display a certificate
warning about chains with unknown Root certificates, there is, however,
a significant difference between what happened in iOS and what happens
in Opera Mini. Opera Mini will not indicate that such pages are secure,
that is, no padlock or similar indication is displayed for the web site
affected by this, giving the same security indications as it would for
an unencrypted site, which is the same as would have been displayed if
the user manually accepted the certificate.
Not showing a dialog was a design decision by the Opera Mini team, due
to the transcoder architecture of Opera Mini, and in part the
complexity of having the transcoder (proxy) server display a dialog at
the device and then obtain the result before continuing.
For more about Opera Mini security see
http://www.opera.com/mobile/help/faq/#security.

Reviewing the provided FAQ URL, we can learn that Opera Mini will show a padlock
(at the top right corner) if the connection to the web site was secured. No
padlock is shown for unsecured sites using HTTP.

When testing Opera Mini with https://iSSL.recurity.com, no padlock is shown.
However, the URL in the address bar still says https:// with no indication that
anything might be wrong with that. Judging from the user feedback we received,
it is not clear to the users that the absence of the padlock means that the
certificate validation failed. In our emulation environment, we also discovered
that on small screen devices, the padlock might not even be on-screen when
loading a site.

Opera could easily indicate the failed certificate verification using means
other than dialog boxes, e.g. through a red background in the address bar,
similar to Internet Explorer.
Given the current approach, we recommend not using Opera Mini for anything
requiring a secure connection to a web site, especially considering that Opera
Mini does not provide end-to-end encryption in any case.